Financial Crime World

BOJ Issues New Guidelines for Banking Sector’s Cybersecurity Efforts

The Bank of Jamaica (BOJ) has issued a new consultation paper outlining guidelines for banking institutions to manage cyber risks, emphasizing the importance of board-level oversight in containing potential threats to financial stability. The proposed guidelines aim to establish minimum standards for the management of cyber risk and will become binding once finalized.

Importance of Board-Level Oversight

According to Deputy Governor Jide Lewis, the BOJ is working closely with banks to ensure they have robust systems in place to manage cyber threats. “We have also been speaking about corporate governance so that they know the buck stops with them,” he emphasized.

The guidelines emphasize that boards of directors are responsible for:

  • Establishing their institution’s cyber risk tolerance
  • Overseeing the implementation of cyber risk management strategies, policies, procedures, and controls that support the continuity of critical operations and core business lines
  • Ensuring adequate access to cybersecurity expertise, whether internal or external
  • Allocating sufficient time on meeting agendas to discuss cyber risk management

Cyber Threats to Financial Stability

Cyber threats, including hacking, malware, phishing, and other types of attacks, pose a significant hazard to financial stability. These incidents can cause:

  • Significant financial loss
  • Legal liabilities
  • Reputational damage

The BOJ estimates that bank fraud currently totals around $800 million, although this represents only a small proportion of the overall banking system.

Banking System Size and Fraud Comparison

Lewis noted that while the incidents are concerning, they are relatively small compared to the size of the banking system, which stands at approximately $3.5 trillion:

  • “It is still quite small: banking is $3.5 trillion; fraud is between $500 million and $1 billion,” he said.

BOJ’s Risk-Based Examinations

The central bank already conducts risk-based examinations of deposit-taking institutions (DTIs), requiring them to put an effective framework in place to manage cyber risk exposures inherent in their operations.

Importance of Cyber Risk Management

The BOJ emphasized the importance of deposit-taking institutions understanding and managing their cyber risks to:

  • Protect assets
  • Protect operations
  • Protect information entrusted to them by customers and stakeholders

Feedback Opportunity

The proposed guidelines are available online for feedback, which will be used to refine the document before it becomes binding on banking licensees.